Privacy Policy

Last updated: March 2026

Waiton Limited ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use our website, our WaitOn hotel management platform (app.waiton.co.uk), and our related services including leased smart devices.

We are registered in England and Wales under company number 17058693. Our registered office is at 3rd Floor, 86-90 Paul Street, London, England, EC2A 4NE.

For the purposes of UK GDPR, we are the data controller in respect of the personal data described in this policy, except where we act as a data processor on behalf of our customers (as set out in section 6).

1. Data We Collect

1.1 Information You Provide

  • Account and contact data: Name, email address, phone number, job title, and organisation details when you sign up, use our contact form, or communicate with us.
  • Platform usage data: Data you input into the WaitOn platform as a customer, including guest requests (e.g. room service, housekeeping), employee assignments, locations, custom request types, and related operational data.
  • Support and correspondence: Communications with our support team, feedback, and any other information you choose to provide.

1.2 Information We Collect Automatically

  • Usage and device data: IP address, browser type, device information, pages visited, and how you interact with our website and platform.
  • Device and hardware data: For leased smart devices, we may collect device identifiers, status, battery levels, connectivity, and diagnostic data to support and maintain the service.
  • Cookies and similar technologies: As described in section 5.

2. How We Use Your Data

We use your personal data to:

  • Provide, operate, and maintain our software, hardware, and managed services
  • Create and manage your account and authenticate users
  • Process transactions and send related communications
  • Respond to support requests and enquiries
  • Send service-related notifications (e.g. alerts, system updates)
  • Improve our products and services, including analytics and product development
  • Comply with legal obligations and enforce our terms
  • Send marketing communications (where you have consented or we have a legitimate interest)
  • Monitor and protect the security of our systems

3. Legal Basis for Processing

Under UK GDPR, we process personal data on the following bases:

  • Performance of a contract: To provide our services under our agreement with you.
  • Legitimate interests: To operate our business, improve our services, prevent fraud, and communicate with you about the service.
  • Consent: Where you have given clear consent (e.g. for marketing emails or non-essential cookies).
  • Legal obligation: Where processing is necessary to comply with the law.

4. Sharing and Disclosure

We may share your data with:

  • Service providers: Third parties who help us operate our business, such as cloud hosting (e.g. AWS), authentication (e.g. AWS Cognito), analytics, email, and support tools. We ensure appropriate contracts are in place.
  • Professional advisers: Lawyers, accountants, and insurers where necessary.
  • Regulators and law enforcement: When required by law or to protect our rights.

We do not sell your personal data. We may transfer data outside the UK where appropriate safeguards are in place (e.g. adequacy decisions, Standard Contractual Clauses).

5. Cookies and Tracking

Our website uses cookies and similar technologies. We use:

  • Essential cookies: Necessary for the website and platform to function (e.g. authentication, session management).
  • Analytics and marketing: Google Tag Manager and related services to understand how visitors use our site. We may use HubSpot for marketing and support.

You can control non-essential cookies through your browser settings or our cookie preferences (where available). Blocking essential cookies may affect functionality.

6. Our Role as Data Processor

When you use our platform and input data about your guests, employees, or operations, you are the data controller for that data. We act as a data processor and process it only on your instructions to provide the service. We do not use that data for our own purposes beyond delivering the service. Our data processing agreement with you sets out our respective obligations.

You must ensure you have a lawful basis and, where required, consent to provide such data to us and to enable us to process it.

7. Data Retention

We retain personal data only for as long as necessary for the purposes set out in this policy or as required by law. This may include:

  • Account data: For the duration of your relationship with us and for a reasonable period thereafter (e.g. for legal, tax, or dispute resolution purposes).
  • Platform data: For the term of your subscription and for a limited grace period after termination to allow data export.
  • Marketing data: Until you withdraw consent or object, or we no longer need it.
  • Legal/regulatory: As required by applicable laws.

8. Your Rights

Under UK GDPR, you have the right to:

  • Access: Request a copy of your personal data.
  • Rectification: Ask us to correct inaccurate data.
  • Erasure: Request deletion of your data in certain circumstances.
  • Restriction: Request that we limit how we use your data.
  • Portability: Request a copy of your data in a structured, machine-readable format.
  • Object: Object to processing based on legitimate interests or for direct marketing.
  • Withdraw consent: Where we rely on consent, you may withdraw it at any time.
  • Complain: Lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

To exercise these rights, contact us using the details in section 10. We will respond within one month. If you are a User of a customer's account, some requests may need to be directed to your employer (the data controller) for platform data.

9. Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. This includes encryption, access controls, and secure cloud infrastructure. However, no method of transmission over the internet is 100% secure.

10. Contact Us

For questions about this Privacy Policy or to exercise your rights, contact us:

  • By using the contact form on our website
  • By post: Waiton Limited, 3rd Floor, 86-90 Paul Street, London, England, EC2A 4NE

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will post the updated version on this page and update the "Last updated" date. For material changes, we may notify you by email or through the platform. We encourage you to review this policy periodically.

← Back to HomeTerms & Conditions